Module 2

Cyber Attacks & Human Weakness

Before this module, my understanding of cybersecurity attacks was pretty one-dimensional, mostly visualizing a lone hacker brute-forcing passwords. I knew phishing and scams existed, sure, but I didn’t realize just how naively people fall for them.

It uncovered the human layer of cyber attacks: the manipulation, the psychology, the engineering of trust.

Code is the means. Trust is the weakness.


What I learned

Social Engineering Is Terrifying

Code may execute attacks, but it’s human behavior, poor configurations, and social manipulation that open the door. Social engineering works because people trust: we trust logos, email signatures, uniforms, phone voices, and anything that feels familiar or urgent.
Attackers weaponize that.

Like the “LoveLetter” virus?
It wasn’t just malware. It was a love note turned digital grenade. 45 million people opened that attachment. Why? Curiosity. Emotion. Human error.


Malware has types and roles

As a computer science grad, I was already familiar with the usual suspects: viruses, worms, ransomware, spyware. But what I hadn’t really thought about was why attackers choose one over the other and when.

  • Viruses – Need human interaction to activate. Often used when the goal is to exploit user behavior, curiosity, carelessness, or routine.
  • Worms – Spread autonomously. Ideal for rapid, large-scale disruption without needing user input.
  • Ransomware – Straightforward: encrypt, demand payment. It’s the go-to for profit-driven attacks with high emotional leverage.
  • Spyware – Silent and persistent. Perfect for long-term surveillance or data theft that needs to stay undetected.

What this module did was connect the dots between technical mechanisms and psychological strategy. It’s not just about how malware works, it’s about how attackers think.


Phishing Has Variants

The obvious scams are easy to spot like fake lottery wins, fake job offers, royalty in distress, classic bait. But phishing has evolved into something far more calculated:

  • Spear Phishing – Personalized attacks using your name, company, or even context from LinkedIn. It’s like the attacker studied you.
  • Whaling – Aimed at executives such as the CEO or CFO (big phish = big impact).
  • Smishing/Vishing – Texts and phone calls pretending to be banks or support teams.
  • BEC (Business Email Compromise) – Faking your boss and asking you to urgently wire money or share documents.

What stood out isn’t just the variety, it’s how tailored these attacks are. Phishing is less about hacking systems, and more about hacking people.

This is exactly why security awareness training exists: not to be cautious, but to be ready.
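To make the “tailored” part concrete, here is an added example (mine, not from the course or the original post) of the kind of header-and-body triage a mail filter or a SOC analyst applies to spear-phishing and BEC attempts: an executive’s display name on an address that isn’t theirs, a look-alike sender domain, a Reply-To pointing somewhere else, and urgency paired with a request for money or credentials. The organization domain `example.com`, the executive roster and the three sample messages are all constructed for the demo.

```python
"""Heuristic triage for spear-phishing / BEC indicators in email headers and body.

Added example, not from the original post. ORG_DOMAIN, EXECUTIVES and the
sample messages below are constructed; tune the word lists for a real deployment.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                            # assumed: the defended organization
EXECUTIVES = {"Dana Ruiz": "dana.ruiz@example.com"}   # assumed roster (constructed)

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|gift cards?|invoice|bank details|W-2|credentials)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Collapse common look-alike substitutions so examp1e.com ~ example.com."""
    d = domain.lower().translate(str.maketrans("0135", "olse"))
    return d.replace("rn", "m").replace("vv", "w")


def lookalike(domain: str, target: str) -> bool:
    """True if domain differs from target but imitates it (confusables or 1 edit away)."""
    if domain == target:
        return False
    return normalize_domain(domain) == target or edit_distance(domain, target) == 1


def triage(raw: str) -> dict:
    """Return the indicators found in one plain-text message and a coarse verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()            # single-part text/plain assumed
    findings = []

    # 1. Executive's display name, but not the executive's real address.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("display name impersonates executive")
    # 2. Sender domain imitates the organization's domain.
    if lookalike(domain, ORG_DOMAIN):
        findings.append("look-alike sender domain")
    # 3. Replies would go to a different domain than the one the mail claims to come from.
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("reply-to domain differs from sender")
    # 4. The classic BEC lure: urgency plus money or credentials.
    if URGENCY.search(body) and PAYMENT.search(body):
        findings.append("urgent request involving money or credentials")

    verdict = "suspicious" if len(findings) >= 2 else ("review" if findings else "clean")
    return {"from": addr, "findings": findings, "verdict": verdict}


# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: Dana Ruiz <dana.ruiz@examp1e.com>
Reply-To: dana.ruiz.ceo@mail.invalid
To: accounts@example.com
Subject: Quick favor

I'm in a meeting and can't talk. I need you to wire $48,000 to the vendor today, it's urgent.
Send me the confirmation.
"""

LEGIT_SAMPLE = """\
From: Dana Ruiz <dana.ruiz@example.com>
To: accounts@example.com
Subject: Board deck

Attached are the slides for Thursday. No rush, send comments when you can.
"""

VENDOR_SAMPLE = """\
From: Billing <billing@vendor.invalid>
To: accounts@example.com
Subject: Invoice 2231

Please find invoice 2231 attached; it is due today.
"""

if __name__ == "__main__":
    for label, sample in [("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE), ("vendor", VENDOR_SAMPLE)]:
        print(label, triage(sample))
```

The verdict thresholds are deliberately coarse: one indicator alone (a vendor invoice that happens to be due today) only earns a “review”, while the BEC sample trips all four checks. In practice this kind of logic sits beside authentication results (SPF/DKIM/DMARC) rather than replacing them.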


Other Social Engineering Attacks (Beyond Phishing)

Here’s the twist: Not all social engineering attacks come via inboxes.

Watering Hole Attacks

You know how animals gather at a waterhole to drink, and predators just wait nearby instead of chasing them down? That’s exactly how this attack works. They compromise a website you trust and wait for you to show up. Once you visit, boom…you’re hit with malware.

Baiting

They leave infected USB drives in parking lots, hoping you’ll pick one up and plug it in “just to see what’s on it.”

Physical social engineering

When attackers manipulate people in person by pretending to be staff, vendors, or maintenance workers to gain access to secure places, devices, or data. It’s about exploiting trust face to face, not online.


Real-World Cyber Attacks

Morris Worm (1988)

One guy tried to count internet-connected computers… and accidentally brought down 10% of the internet by creating a worm that kept reinstalling itself. This led to the creation of CERTs (Computer Emergency Response Teams).
One tiny script. Massive impact.

ILOVEYOU Virus (2000)

Disguised as a love letter. Spread by emailing itself to your contacts. Infected 45+ million computers. Caused $10+ billion in damage.
This was the social engineering attack that made the world take notice.

Brain Virus (1986)

Made by two brothers in Pakistan to stop software piracy.
Problem? It spread through floppy disks worldwide.
Lesson: Even “good intentions” can cause global chaos.

Equifax Breach (2017)

147 million people affected, exposing names, SSNs, and credit cards. All because someone didn’t patch a known vulnerability.
This one haunts me. It wasn’t a genius hack. It was… laziness.


Threat vs. Attack: Where Does Social Engineering Fit?

At first, it was confusing: is phishing a threat or an attack?

Here’s how I made sense of it:

  • A threat is the possibility of something bad happening, like knowing attackers might target your company through employee emails.
  • An attack is when that threat actually happens like someone sending a fake HR email to steal login credentials.

So phishing usually starts as a threat.
But the moment someone falls for it and clicks that link? It becomes an attack.

It’s the difference between a fire that could happen and your kitchen actually catching fire.


What I Want to Explore Next

  • Hacktivism – Hacking with a cause. Anonymous, WikiLeaks: digital protest or cybercrime? It’s murky but fascinating.

  • Incident Response – When systems fail, how do teams recover? I want to learn what happens after the red alert.

  • Threat Actor Profiles – Nation-state hackers. Insider threats. APTs (Advanced Persistent Threats). I want to study how these people think.

  • Psychology of Trust Online – Why do we fall for scams? What makes something “feel” safe when it’s not?


What Stood Out to Me

  • Humans are the weakest link. It’s not the end-to-end encrypted WhatsApp chats we should worry about. It’s us clicking random links, downloading shady files.
  • Tiny things = huge damage. A single USB or unpatched software can cause millions in losses.

My Honest Thoughts

I used to scroll past news like “Your password was in a breach”. Now I stop and think. I ask: How did it happen? Could it have been prevented?

I’m just really curious now. The more I understand how these attacks work, the harder it is to fall for them. Feels like I’m finally seeing things I used to miss.


Next Up

On to Module 3: laws, frameworks, and ethics. Now that I know who’s trying to break in, it’s time to learn how to build the wall.

Let’s go.